John:
On Sat, Jun 22, 2002 at 08:51:31PM -0400, Lauro, John wrote:
> Hello,
>
> I am trying to understand some of the dshield reports...
>
> 1. The Top 10 most wanted (at http://www.dshield.org/top10.html)
> states "(Interested in more detailed reports? Join the mailing list
> and ask for it ;-) ..).", and clicking on the link states "No such
> list dshield". Is that list meant to be this list?

I'll let Johannes or somebody else tackle that..

> 2. On the subnet report, I think there is a problem (maybe some data
> is newer than other?), or I am a little confused what the numbers
> mean... I was checking one of the IPs scanning our network, to double
> check that it showed up in the dshield database...
>
> At the top level, for 141/8 it has:
> Sources: 7682
> Targets: 231768
> Reports: 303834

141/8 represents hosts/net: 16,777,214

> Then clicking on 141/8, it has 141.210/16 (along with a bunch of other
> subnets):
> Sources: 68
> Targets: 275
> Reports: 572

141.210/16 represents hosts/net: 65,534

> After you click on 141.210/16...
> Source Sources Targets Reports
> 141.210.010/24 2 2 2
> 141.210.016/24 21 28 34
> 141.210.162/24 2 3 3
> 141.210.178/24 1 3 5
> 141.210.180/24 1 2 3
> 141.210.181/24 1 64276 120344
> 141.210.186/24 1 190 464

141.210.0/24 represents hosts/net: 254
So each individual line within the 141.210.0/24 grouping could only
have a possible total of 254 individual hosts.
Of the possible 254 in 141.210.016/24, for example, 21 individual
hosts have been reported performing probes.
Any given /24 just doesn't have that many hosts in it, so the numbers
(at least for the blocks you've been looking at..) cannot be greater
than 254. The likelihood of a lot of hosts in a /24 *all* doing probes
is not that great, I'd guess..

> Why are the numbers for 141.210/16 so low? I tried forcing a refresh
> on the page, and looked at the date of the page according to the
> browser, and it has today's date.
- John
--
"You are in a little maze of twisty passages, all different."
PGP key http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
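
An added example, not part of the original message and not DShield's code: a roll-up check over the quoted 141.210/16 rows that applies the hosts-per-prefix bound from the reply and compares the parent row against its /24 children. The counting semantics in the comments (sources and reports add up across children, targets may overlap) and all function names are assumptions made for this sketch.

```python
import ipaddress

# Figures copied from the quoted report rows: (prefix, sources, targets, reports)
PARENT = ("141.210/16", 68, 275, 572)
CHILDREN = [
    ("141.210.010/24", 2, 2, 2),
    ("141.210.016/24", 21, 28, 34),
    ("141.210.162/24", 2, 3, 3),
    ("141.210.178/24", 1, 3, 5),
    ("141.210.180/24", 1, 2, 3),
    ("141.210.181/24", 1, 64276, 120344),
    ("141.210.186/24", 1, 190, 464),
]

def parse_prefix(text):
    """Parse report shorthand ('141/8', '141.210.010/24') that ipaddress rejects as-is."""
    addr, length = text.split("/")
    octets = [int(o, 10) for o in addr.split(".")]  # drops zero padding
    octets += [0] * (4 - len(octets))               # fills omitted octets
    return ipaddress.ip_network(".".join(map(str, octets)) + "/" + length)

def usable_hosts(net):
    """Host count as used in the reply: every address minus network and broadcast."""
    return net.num_addresses - 2

def check_rollup(parent, children):
    """Return findings where a parent row contradicts its listed child rows."""
    findings = []
    p_net = parse_prefix(parent[0])
    for name, src, _tgt, _rep in children:
        net = parse_prefix(name)
        if not net.subnet_of(p_net):
            findings.append(f"{name}: not inside {parent[0]}")
        if src > usable_hosts(net):
            findings.append(f"{name}: {src} sources > {usable_hosts(net)} hosts")
    # Assumed semantics: each source IP lies in exactly one child, so sources
    # and reports add up; targets can overlap, so only the maximum is a floor.
    floors = {
        "sources": sum(c[1] for c in children),
        "targets": max(c[2] for c in children),
        "reports": sum(c[3] for c in children),
    }
    for (column, floor), value in zip(floors.items(), parent[1:]):
        if value < floor:
            findings.append(f"{parent[0]} {column}: {value} < {floor} from children")
    return findings

if __name__ == "__main__":
    print("\n".join(check_rollup(PARENT, CHILDREN)))
```

On the quoted figures it flags the targets and reports columns of 141.210/16, which is the discrepancy the original question asks about.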